Personal data processing operations that could entail high risks for the rights and freedoms of data subjects require a risk assessment.
What is a risk assessment? And how do you go about it?
If you have identified personal data processing operations that could pose a high risk to the rights and freedoms of data subjects, you must carry out what is known as a data protection impact assessment.
This assessment is mandatory for every such processing operation.
A Data Protection Impact Assessment (DPIA) is an analysis that lets you design your processing operations in a privacy-friendly way and demonstrate that they comply with the GDPR.
In addition, the DPIA is a privacy impact assessment tool based on two main pillars:
Here is what a DPIA contains:
- A description of the processing operation and its purpose.
- An assessment of the necessity and proportionality of the processing operations with regard to the purposes for which they are to be carried out.
- An assessment of the risks to the rights and freedoms of the people concerned, and the measures envisaged to address these risks.
A DPIA is considered good practice because it lets you verify that every processing operation you carry out is GDPR-compliant, whether or not that operation is likely to pose a high risk to the privacy of data subjects.
It is advisable to carry out a DPIA before a processing operation goes live. The analysis should be reviewed and updated regularly, especially after major changes to the way the data is processed.
Furthermore, under Article 35 of the GDPR, a DPIA is mandatory for any processing likely to pose risks to the rights and privacy of data subjects. The CNIL (National Commission for Information Technology and Civil Liberties) has identified 9 criteria, taken from the G29 guidelines, for determining whether your processing could present such risks:
If at least 2 of these criteria apply to one of your processing operations, the CNIL recommends that you carry out a DPIA.
The CNIL has published a catalog of best practices to help you carry out a DPIA and identify which of your processing operations are likely to pose a risk to the rights and freedoms of the persons concerned.
Among these tools is a beta version of the PIA software, a program that makes it easier to formalize this analysis.